Limiting the size of a HTTP post request on JBoss
maxPostSize defines how big a POST can get before Tomcat will "automatically" parse it, whatever that means.
If you're doing this for security reasons, you need to think twice about how you do it. A DOS attack isn't going to conveniently announce its size as an HTTP request header, it's just going to send data until your server falls over.
You could check the Content-Length header of the request, and reject it immediately if it's not present, or too big, but you run the risk of rejecting genuine clients that don't supply the header, which many won't.
Otherwise, you're just going to have to read the request data until it crosses a threshold, and then reject it.
Either way, the container can't help you much.
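The two checks described in this answer (reject on an oversized Content-Length, otherwise count bytes as they arrive and stop at a threshold), written as a servlet filter. This is an added example, not part of the original answer; the class names, the 2 MiB limit, and the choice of the Servlet 2.5 API are assumptions, and the filter still has to be mapped in web.xml.

```java
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (not from the original answer); targets the Servlet 2.5 API.
public class PostSizeLimitFilter implements Filter {
    static final long MAX_BYTES = 2L * 1024 * 1024; // assumed limit: 2 MiB

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Declared size too big: reject before reading anything. A missing
        // header (-1) passes here and is bounded by the byte counter below.
        if (req.getContentLength() > MAX_BYTES) {
            res.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        try {
            chain.doFilter(new LimitedRequest(req), res);
        } catch (BodyTooLargeException e) {
            if (!res.isCommitted())
                res.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
        }
    }

    static class BodyTooLargeException extends IOException {}

    static class LimitedRequest extends HttpServletRequestWrapper {
        LimitedRequest(HttpServletRequest r) { super(r); }
        public ServletInputStream getInputStream() throws IOException {
            final ServletInputStream in = super.getInputStream();
            return new ServletInputStream() {
                private long seen; // bytes actually received so far
                public int read() throws IOException {
                    byte[] one = new byte[1];
                    return read(one, 0, 1) == -1 ? -1 : one[0] & 0xff;
                }
                public int read(byte[] b, int off, int len) throws IOException {
                    int n = in.read(b, off, len);
                    if (n > 0 && (seen += n) > MAX_BYTES) throw new BodyTooLargeException();
                    return n;
                }
            };
        }
    }
}
```

Only code that reads the body through getInputStream() on the wrapped request is bounded; getReader() and the container's own form-parameter parsing read the underlying request and are not covered by this wrapper.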
Aveen
Updated on June 08, 2022
Comments
-
Aveen almost 2 years
I am using Jboss 4.2.3 as an appserver. Is there a way to limit the size of the HTTP Post request accepted by JBoss? I want to limit the size to avoid DOS attacks.
I already set maxHttpHeaderSize and maxPostSize in the server.xml, but neither of them seems to make any difference.
-
BalusC about 14 years
+1 and a DDOS attack is not only sending large data. It's also a happening of thousands of simultaneous requests at once.
-
jwenting almost 4 years
this is correct for WildFly, not for JBoss classic.
-
Jerry almost 4 years
Thanks @jwenting for your feedback. I'm running jboss-eap-7 standalone mode and it works, and for domain mode I have to set max-post-size for ajp-listener. Can you enlighten me please?
-
jwenting almost 4 years
EAP7 is the commercial version of Wildfly :) Classic is JBoss4 (and maybe 5), which have a completely different architecture. They're also very old (think 10+ years) but still in use.
-
Jerry almost 4 years
Thanks @jwenting again for this info. For this old version, we should look into the manual or the source code directly.
-
jwenting almost 4 years
Which is what the other 2 answers did 10 years ago :)